I recently stumbled onto this old http://geocities.vuln.icec.tf/ site; it’s a miracle that it’s still up! It must be running some ancient technology and probably hasn’t been updated in years. It’s our lucky day, boys!

I first solved it the way probably everyone else did: index.cgi -> Shellshock -> list files -> (search for the flag on the server…) -> find a Perl script that connects to a DB on the internal network -> create a modified version of the Perl script in /tmp and execute it to get the DB content, as there was no mysql client on the vulnerable server.

But this challenge was really cool: it’s not every day that you get a multi-machine environment (you can practice that in a Windows and Active Directory environment here :), so it was time to get out the big guns, Metasploit and sqlmap 🙂

I used the Metasploit apache_mod_cgi_bash_env_exec Shellshock exploit module to get a meterpreter shell.

From there, list the files and display the Perl script to get the DB connection details (host, port, user, password, database name).

To get the IP address of the DB server, look into /etc/hosts.

Then use meterpreter’s port forwarding command to forward all connections made to a port on the local machine to the DB server, so that sqlmap can be used against the remote DB.

And finally, start sqlmap with a direct database connection to the local machine on the port forwarded above, and dump the DB.

PS: in the hosts file, an attentive reader would find another interesting-sounding host, but its exploitation is left as an exercise for the reader.
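The entry point of this box was a Shellshock probe against a CGI script, so a defender’s counterpart to the steps above is a log check for it. The following is an added example and not part of the original write-up: a small Java scanner over Apache "combined" access-log lines that flags any Referer or User-Agent beginning with the bash function-definition marker `() {`, which is what mod_cgi exported into the environment and what vulnerable bash versions acted on. The log lines are constructed sample data, not traffic from the challenge.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: flag Shellshock-style probes against CGI scripts in Apache
 * "combined" access-log lines. mod_cgi copies request headers such as
 * User-Agent and Referer into environment variables before running the
 * script, and the Shellshock bugs fired on an environment value that begins
 * with a bash function definition "() {". That marker is the signature.
 */
public class ShellshockLogScanner {

    // combined format: host ident user [time] "request" status size "referer" "user-agent"
    private static final Pattern COMBINED = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"([^\"]*)\" (\\d{3}) \\S+ \"([^\"]*)\" \"([^\"]*)\"$");

    // Leading bash function definition, optionally after whitespace.
    private static final Pattern MARKER = Pattern.compile("^\\s*\\(\\)\\s*\\{");

    /** One flagged request. */
    public static final class Hit {
        public final String clientIp;
        public final String request;
        public final String headerName;
        public final String headerValue;

        Hit(String clientIp, String request, String headerName, String headerValue) {
            this.clientIp = clientIp;
            this.request = request;
            this.headerName = headerName;
            this.headerValue = headerValue;
        }

        @Override
        public String toString() {
            return clientIp + " " + request + " [" + headerName + "] " + headerValue;
        }
    }

    /** Returns a Hit for every line whose Referer or User-Agent carries the marker. */
    public static List<Hit> scan(List<String> lines) {
        List<Hit> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = COMBINED.matcher(line);
            if (!m.matches()) {
                continue;  // unparseable line: skipped rather than guessed at
            }
            String[] names = {"Referer", "User-Agent"};
            String[] values = {m.group(5), m.group(6)};
            for (int i = 0; i < names.length; i++) {
                if (MARKER.matcher(values[i]).find()) {
                    hits.add(new Hit(m.group(1), m.group(3), names[i], values[i]));
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines (not real traffic): an ordinary request to the
        // CGI script, then one carrying the probe marker in the User-Agent header.
        List<String> sample = Arrays.asList(
                "203.0.113.5 - - [10/Aug/2016:10:00:01 +0000] \"GET /index.cgi HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0\"",
                "203.0.113.7 - - [10/Aug/2016:10:00:09 +0000] \"GET /index.cgi HTTP/1.1\" 200 12 \"-\" \"() { :; }; echo probe\"");
        for (Hit h : scan(sample)) {
            System.out.println("SHELLSHOCK PROBE " + h);
        }
    }
}
```

The combined format only records two request headers, so this check is partial by design: a probe can sit in any header mod_cgi exports. The durable fixes are a patched bash and a filter on every request header at the web server; the log scan is for finding out after the fact whether a box like this one was hit.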

After publishing my write-up and my “problem” with Inspeckage (I was able to see the intents but not their content), a really nice guy called mastho (from the khack40 CTF team) told me it was actually possible to do everything from Inspeckage. So time to have a deeper look!

After installation, you have to select which app you want to analyse.

Then you start the web UI and can see all the activities (exported and non exported).

It is possible to start them from here, so there is no need to use adb to send a broadcast intent.

After the activity starts, you then click on the button and another intent with a message is sent. Under the IPC tab, you can see that a broadcast intent was sent but not its content. That’s where I stopped during the CTF and went back to writing my own Xposed module.

Actually there is a tab called “+Hooks” that allows you to create hooks on the fly. How good is that! In this case, just create a hook for the “putExtra” method of the “Intent” class…

So three possibilities: spend a lot of time reversing the native library that does the calculation, modify the app to write the msg content directly to the logs, or do some dynamic analysis and write an Xposed module to intercept the intents and log the message. I picked number 3 🙂

Actually I first tried to use Inspeckage, a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. I could see the intents and that they had some content, but not the content itself… :/

So now back to solution 3 and the Xposed module to intercept the intents and log them.
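Both the Inspeckage “+Hooks” approach above (a hook on Intent.putExtra) and the hand-written module this section returns to come down to the same two hooks. The module below is an added example, not the author’s module or Inspeckage’s code: it logs every string extra as it is put into an Intent, and dumps the action and all extras of each broadcast as it leaves the app. The package name `com.example.ctfapp` and the class name `IntentLogger` are placeholders.

```java
package ctf.hooks;  // hypothetical package for this added example

import android.content.Intent;
import android.os.Bundle;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/**
 * Added example module: log the content of intents an app builds and sends.
 * The hooks run inside the target process, so the apk itself stays unmodified.
 */
public class IntentLogger implements IXposedHookLoadPackage {

    // Placeholder: replace with the package name of the app under analysis.
    private static final String TARGET_PACKAGE = "com.example.ctfapp";

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;  // only hook the app we are analysing
        }

        // Intent.putExtra(String, String): logs each string extra as it is added.
        // This is the hook the Inspeckage "+Hooks" tab creates for you.
        XposedHelpers.findAndHookMethod(Intent.class, "putExtra",
                String.class, String.class, new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) {
                        XposedBridge.log("putExtra " + param.args[0] + " = " + param.args[1]);
                    }
                });

        // ContextWrapper.sendBroadcast(Intent): dumps the whole intent, action and
        // every extra, at the moment it leaves the app.
        XposedHelpers.findAndHookMethod("android.content.ContextWrapper",
                lpparam.classLoader, "sendBroadcast", Intent.class, new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        Intent intent = (Intent) param.args[0];
                        XposedBridge.log("sendBroadcast action=" + intent.getAction());
                        Bundle extras = intent.getExtras();
                        if (extras == null) {
                            return;
                        }
                        for (String key : extras.keySet()) {
                            XposedBridge.log("  extra " + key + " = " + extras.get(key));
                        }
                    }
                });
    }
}
```

The fully qualified class name goes into assets/xposed_init of the module apk; after installing the module and rebooting, the lines appear in the Xposed log. The putExtra hook only covers the String overload, so an app that passes its message as a Bundle or a byte array would only show up in the sendBroadcast dump, which is why both hooks are there.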

I unfortunately didn’t have time to participate in the CCC CTF this year, but I wanted to look at the Android reverse challenge and see if I could solve it using the Xposed Framework. So here we go, same toolkit as last time: Jadx, Genymotion and Android Studio (see here).

Firing up an emulator with API 23 and starting the app shows a keypad with cute little smileys. After clicking on “bear”, “bear”, “ghost”, “monkey”, “heart”, “burger”, a message appears: “no rootkit for you”. The same happens after pressing the “get flag” button.

So let’s open the app in jadx. There we can see an obfuscated class with native calls.

So every time a key is pressed, a new character is appended to the attribute “e”. If its length reaches 6 or the “get flag” button is pressed, some magic is done and the result is displayed in a message using a Snackbar.

Let’s brute-force it! There are only 999999 possibilities.
The idea is then to set the variable “e” and simulate a click on the “get flag” button.

We first need to find the charset for “e”, i.e. we need the value of “d” (this.e += d.charAt(x);). We saw above that “d” is set in the onCreate method, so let’s hook it.

So the charset is only digits, isn’t it? Wrong, wrong, wrong! (It did take me some time to realize my mistake…) It’s not “1234567890” but “ 123456789”, with a leading space…

Now we are nearly ready to start the brute force. We somehow need to log the popup message to get the flag. So let’s hook the make() method of the Snackbar and log everything that doesn’t start with the default error message:
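The three steps above (read “d” after onCreate, iterate every 6-character value of “e” while triggering the “get flag” check, and log any Snackbar text that is not the default message) fit in one module. The one below is an added example, not the author’s module: the package name, the activity class and the name of the “get flag” handler (`checkCode`) are placeholders for the obfuscated names jadx shows, and the Snackbar is assumed to be the design support library one (android.support.design.widget.Snackbar). The loop is written for any charset length, so it also generalises past the 10-character charset of this app.

```java
package ctf.hooks;  // hypothetical package for this added example

import android.os.Bundle;
import android.view.View;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/** Added example module: brute-force the keypad code through the app's own check. */
public class KeypadBruteForcer implements IXposedHookLoadPackage {

    // Placeholders: the real package, activity class and "get flag" handler
    // come from jadx; the obfuscated names are not reproduced here.
    private static final String TARGET_PACKAGE = "com.example.keypad";
    private static final String ACTIVITY = "com.example.keypad.MainActivity";
    private static final String GET_FLAG_METHOD = "checkCode";   // hypothetical name
    private static final String DEFAULT_MESSAGE = "no rootkit for you";

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;
        }

        // 1. Log every Snackbar text that does not start with the default failure message.
        XposedHelpers.findAndHookMethod("android.support.design.widget.Snackbar",
                lpparam.classLoader, "make", View.class, CharSequence.class, int.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        String text = String.valueOf(param.args[1]);
                        if (!text.startsWith(DEFAULT_MESSAGE)) {
                            XposedBridge.log("Snackbar: " + text);
                        }
                    }
                });

        // 2. Once onCreate has initialised "d", read the charset and brute-force "e".
        XposedHelpers.findAndHookMethod(ACTIVITY, lpparam.classLoader, "onCreate",
                Bundle.class, new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) {
                        Object activity = param.thisObject;
                        String charset = (String) XposedHelpers.getObjectField(activity, "d");
                        // Brackets make a leading space visible in the log.
                        XposedBridge.log("charset d = [" + charset + "]");
                        bruteForce(activity, charset);
                    }
                });
    }

    /** Tries every 6-character code over the charset, running the "get flag" check for each. */
    static void bruteForce(Object activity, String charset) {
        int radix = charset.length();
        long total = 1;
        for (int i = 0; i < 6; i++) {
            total *= radix;   // 10^6 candidates for a 10-character charset
        }
        char[] code = new char[6];
        for (long idx = 0; idx < total; idx++) {
            long rest = idx;
            for (int pos = 5; pos >= 0; pos--) {   // digits of idx in base "radix"
                code[pos] = charset.charAt((int) (rest % radix));
                rest /= radix;
            }
            XposedHelpers.setObjectField(activity, "e", new String(code));
            XposedHelpers.callMethod(activity, GET_FLAG_METHOD);   // what the button click does
        }
    }
}
```

The loop runs on the UI thread inside onCreate, so the app looks frozen until it finishes; the hit shows up in the Xposed log through the Snackbar hook, not on screen. Enumerating by index rather than by nested loops is what makes the leading-space character of the charset impossible to forget: the code never spells the charset out, it only reads it back from “d”.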

After reading a write-up of the Trend Micro CTF by someone who discovered the Xposed Framework and wanted to use it to solve CTF challenges, I decided to do the same.
In short, the Xposed framework allows you to hook methods of an Android application without having to modify the app.

So after winning 1000 times in a row, the flag is displayed. It is calculated from the counter and the result of the calc() method. Unfortunately, calc is a native method. Instead of starting Hopper and reversing the native lib, or patching the apk to display the flag directly, let’s try to write an Xposed module for it.

The idea is then to hook the onClick method and set the attributes to the correct values (i.e. set count to 999 and the attributes m and n so that the move is a winning one).
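The hook described above, as an added example rather than the author’s module: it fires before the app’s own onClick runs, bumps the counter to 999 so the click being handled is the 1000th win, and forces m and n. The package and activity names are placeholders, the fields are assumed to be ints, and the two winning values are placeholders to be read off the decompiled check, since the post does not state them.

```java
package ctf.hooks;  // hypothetical package for this added example

import android.view.View;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/** Added example module: make a single click count as the 1000th consecutive win. */
public class WinCounterHook implements IXposedHookLoadPackage {

    private static final String TARGET_PACKAGE = "com.example.game";        // placeholder
    private static final String ACTIVITY = "com.example.game.MainActivity";  // placeholder

    // Placeholders: the values that make the move a winning one are taken
    // from the decompiled comparison, which the post does not reproduce.
    private static final int WINNING_M = 0;
    private static final int WINNING_N = 0;

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;
        }

        XposedHelpers.findAndHookMethod(ACTIVITY, lpparam.classLoader, "onClick", View.class,
                new XC_MethodHook() {
                    @Override
                    protected void beforeHookedMethod(MethodHookParam param) {
                        Object activity = param.thisObject;
                        int before = XposedHelpers.getIntField(activity, "count");
                        // 999 wins already banked: the original onClick then counts
                        // this one as the 1000th and builds the flag from count and calc().
                        XposedHelpers.setIntField(activity, "count", 999);
                        XposedHelpers.setIntField(activity, "m", WINNING_M);
                        XposedHelpers.setIntField(activity, "n", WINNING_N);
                        XposedBridge.log("count " + before + " -> 999, m/n forced");
                    }

                    @Override
                    protected void afterHookedMethod(MethodHookParam param) {
                        // Confirms the original handler ran with the forced state.
                        XposedBridge.log("count after click = "
                                + XposedHelpers.getIntField(param.thisObject, "count"));
                    }
                });
    }
}
```

Because the native calc() is left untouched, the app computes the flag exactly as it would after a thousand legitimate wins; the module only changes the bookkeeping that decides when that computation is shown.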